NoMoreFood / putty-cac

Windows Secure Shell Client With Support For Smart Cards, Certificates, & FIDO Keys

CAPI Tools: Smart card setup on 0.77 when YubiKey is used #93

Closed neilfx1 closed 2 years ago

neilfx1 commented 2 years ago

I've been doing some testing of the new v0.77 with FIDO2 support, which works great (thanks). I noticed that there's also a new section for CAPI tools, so I tried creating a new certificate through that on my YubiKey.

There seems to be a bug: when you choose Smart Card/Token and create the key, the private key is stored on the YubiKey as expected; however, the actual user certificate is put into the user store within Windows rather than being loaded onto the YubiKey. The problem with that is, if I take my YubiKey from Machine A to my other laptop, Machine B, and run putty-cac there, I would have to export the certificate on Machine A, load it onto the YubiKey manually, then use it on Machine B. I had expected the CAPI wizard to load the cert + key onto the YubiKey when Smart Card / Token is used.

NoMoreFood commented 2 years ago

Interesting. Sometimes computers have issues automatically importing self-signed certificates from smart cards, so it could be that as well. On the "other" machine, can you try running certutil -scinfo and verify that it doesn't see the certificate that way? Which model YubiKey are you using?
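
As an added illustration of the check suggested above (example code, not from the putty-cac project or either participant): a PowerShell script that lists the current user's personal-store certificates, reports whether each private key sits in a smart-card provider, and with -CheckCard also asks whether certutil -scinfo reports the same certificate thumbprint. It assumes the token is inserted and that certutil -scinfo prints the SHA-1 hash of each card certificate; Get-KeyProviderName and the -CheckCard switch are names chosen here.

```powershell
# Added example (not putty-cac code): where does each personal-store certificate's key live,
# and does the inserted smart card also carry the certificate? Run with the token inserted.
param([switch]$CheckCard)   # -CheckCard also runs certutil -scinfo and compares thumbprints

function Get-KeyProviderName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return '<no private key>' }
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $key) {
            $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert)
        }
        if ($key -is [System.Security.Cryptography.RSACng] -or $key -is [System.Security.Cryptography.ECDsaCng]) {
            return $key.Key.Provider.Provider                 # CNG key storage provider name
        }
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            return $key.CspKeyContainerInfo.ProviderName      # legacy CSP name
        }
        return '<unknown key type>'
    } catch {
        return "<key not accessible: $($_.Exception.Message)>"
    }
}

$scinfo = $null
if ($CheckCard) {
    # -silent suppresses PIN/UI prompts; certutil writes its report as plain text
    $scinfo = (& certutil.exe -scinfo -silent 2>&1) -join "`n"
}

Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $provider = Get-KeyProviderName -Cert $_
    $inScinfo = 'n/a'
    if ($null -ne $scinfo) {
        # certutil prints hashes as "0c 4a ..." in some versions and "0c4a..." in others
        $pattern  = $_.Thumbprint -replace '(..)', '$1\s?'
        $inScinfo = $scinfo -match $pattern
    }
    [pscustomobject]@{
        Subject     = $_.Subject
        Thumbprint  = $_.Thumbprint
        KeyProvider = $provider
        # "Microsoft Smart Card Key Storage Provider" and "Microsoft Base Smart Card Crypto Provider"
        KeyOnCard   = ($provider -match 'Smart Card')
        CertOnCard  = $inScinfo   # KeyOnCard true but CertOnCard false is the symptom in this issue
    }
} | Format-Table -AutoSize
```

A row with KeyOnCard set and CertOnCard unset means the key was generated on the token but the certificate exists only in this machine's store, which is exactly why a second machine would not see it.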

NoMoreFood commented 2 years ago

@neilmw1 Any luck seeing if the certificate appears when you run that command?

neilfx1 commented 2 years ago

I'll try to check this out tomorrow, sorry been a little busy! It's a YubiKey 5C NFC also.

NoMoreFood commented 2 years ago

I'm not sure it's related to your issue, but I found some bugs with the CAPI Tools part which I'll have fixed in a few days. Did you have a chance to run certutil -scinfo?

NoMoreFood commented 2 years ago

@neilmw1 Updated binaries are available here: https://github.com/NoMoreFood/putty-cac/tree/master/binaries

CAPI Tools part has been updated to use a different Windows library for self-signed certificate creation. The previous implementation was failing on some hardware keys.

neilfx1 commented 2 years ago

I've managed to do the tests now. If I use the previous version (0.77) to generate the self-signed certificate on the YubiKey, certutil -scinfo returns this: [screenshot: 2022-06-20 13:10:25]

Since you did the update (0.77-1), it spends a lot longer writing to the YubiKey, which I will assume is a good sign. It also returns a lot more meaningful information: [screenshot: 2022-06-20 13:17:01]

This all looks much more positive, and I can actually see it on the Windows logon screen too when the YubiKey is inserted. I can also see it when I alternate between workstations in PuttyCAC, so I'm happy it's working as intended now! Thank you for your help.